LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   SELinux: Show current module policy (https://www.linuxquestions.org/questions/linux-security-4/selinux-show-current-module-policy-917570/)

TJNII 12-07-2011 09:50 AM

SELinux: Show current module policy
 
I have a Cent6 box running SELinux that I need to modify SELinux policy on. The service that I need to make the change already has a policy file in /etc/selinux/targeted/modules/active/modules/[service].pp. I want to append to the existing rules, not overwrite them with a new module. How do I decompile the .pp file to view its contents? My intention would be to generate a .te file from the .pp file, merge it with my new .te file, and replace the existing policy.

unSpawn 12-11-2011 08:35 AM

Quote:

Originally Posted by TJNII (Post 4544305)
I have a Cent6 box running SELinux that I need to modify SELinux policy on. The service that I need to make the change already has a policy file in /etc/selinux/targeted/modules/active/modules/[service].pp. I want to append to the existing rules, not overwrite them with a new module. How do I decompile the .pp file to view its contents? My intention would be to generate a .te file from the .pp file, merge it with my new .te file, and replace the existing policy.

Simple answer (not that you'll like it) is you don't (OK, AFAIK). Since you just want to add to an existing policy just create the necessary [whatevername].te, .if and .fc files, add whatever rules you need then use the provided Makefile and 'semodule' tool to compile and add your additional rules to the module store.

TJNII 12-12-2011 08:12 AM

From an administration standpoint I find this hard to believe. There must be some way to show what selinux rules the kernel is enforcing. There has to be a better way than just appending to a set of functionally write-only files whenever a change is needed.

unSpawn 12-12-2011 02:36 PM

Quote:

Originally Posted by TJNII (Post 4547881)
There must be some way to show what selinux rules the kernel is enforcing.

That is a completely different question.


Quote:

Originally Posted by TJNII (Post 4547881)
There has to be a (..) way (..)

Look at the selinux-policy-%{version}.el5.src.rpm and http://oss.tresys.com/projects/refpolicy.

TJNII 12-12-2011 04:27 PM

Quote:

Look at the selinux-policy-%{version}.el5.src.rpm and http://oss.tresys.com/projects/refpolicy.
Well, that still doesn't answer my question as it assumes the bundled policy has not already been appended. If a previous admin has already appended to the policy, how do I figure out what has been done? I would like to find a solution that prints exactly what a running kernel is enforcing.

unSpawn 12-12-2011 06:24 PM

Use the tools from the setools package.
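Putting the two answers together as an added example (not code from the thread): rules are added through a separately named local module so the vendor .pp stays untouched, and setools' sesearch reads the loaded binary policy to show what the kernel enforces before and after. It assumes CentOS 6 with selinux-policy-devel (the refpolicy Makefile at /usr/share/selinux/devel/Makefile) and setools installed; the httpd types at the bottom are placeholders, not a recommended rule.

```shell
#!/bin/sh
# Added example (not from the thread): extend an existing SELinux module by
# loading a separately named local module, and use setools to see what the
# loaded policy actually enforces before and after.
# Assumptions: CentOS 6 with selinux-policy-devel (provides the refpolicy
# Makefile at /usr/share/selinux/devel/Makefile) and setools (sesearch);
# the httpd types used at the bottom are placeholders, not a real fix.
set -eu

DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile

# gen_te NAME SRC_TYPE TGT_TYPE CLASS "PERMS": print the .te source for a
# local module that only *adds* one allow rule; the vendor .pp is not edited.
gen_te() {
    printf 'policy_module(%s, 1.0)\n\n' "$1"
    printf 'require {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n' \
        "$2" "$3" "$4" "$5"
    printf 'allow %s %s:%s { %s };\n' "$2" "$3" "$4" "$5"
}

# show_enforced SRC_TYPE TGT_TYPE CLASS: list the allow rules the kernel is
# enforcing for this pair, read from the loaded policy (no .pp decompile).
show_enforced() {
    sesearch -A -s "$1" -t "$2" -c "$3"
}

# extend_module NAME SRC TGT CLASS "PERMS": write, compile and load the module.
extend_module() {
    name=$1
    gen_te "$@" > "$name.te"
    make -f "$DEVEL_MAKEFILE" "$name.pp"   # .te -> .pp via the refpolicy Makefile
    semodule -i "$name.pp"                 # add it to the module store
    semodule -l | grep "^$name"            # confirm it is in the active store
}

# Run only when explicitly asked: the tools need root and a live SELinux box.
if [ "${1:-}" = apply ]; then
    show_enforced httpd_t httpd_sys_content_t file || true
    extend_module local_httpd httpd_t httpd_sys_content_t file "read getattr open"
    show_enforced httpd_t httpd_sys_content_t file
fi
```

Invoke as `sh extend.sh apply` on the target host; without the argument it only defines the functions, so the .te generator can be inspected safely.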
